Help denying NAS internet unless specific port
-
I have a NAS torrent box that connects to the internet via a VPN…
In my old router I had it set up so that it would deny all internet access unless it was going through 2 specific ports...
I'm sure there are tons of better ways to do that in here, but I'm trying for now to get it to work here the same way it was: allow NAS box 10.1.1.10 internet access only on ports 53 and 1723... router IP 10.1.1.1
Here is my old routing table...
```bash
# Work out the WAN interface name from the default route
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# Each -I inserts at the top of FORWARD, so the last command ends up first:
# the two ACCEPT rules are evaluated before the two REJECT rules.
iptables -I FORWARD -i br0 -s 10.1.1.10 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -s 10.1.1.10 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -s 10.1.1.10 --dport 53 -o "$WAN_IF" -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -s 10.1.1.10 --dport 1723 -o "$WAN_IF" -m state --state NEW -j ACCEPT
```
Can I do the same in here…
in the WAN or LAN section, or both?
How many rules should I have to make? Thanks again
s0rcier -
You'd place the rule on the LAN interface.
You could create an alias that contains your local subnets and create a firewall rule at the top that allows the NAS to talk to anything that isn't in the alias using port 53, and the same for port 1723, using the invert match option.
I'd also put a deny rule directly underneath that blocks the NAS from talking to any.
I like to see the hits against my blocks, so I have block rules, but the default is to deny any at the bottom.
You could even create an alias for ports 53 & 1723 and have a single allow rule.
pfSense reads the firewall rules top down, so as long as you block anything from your NAS after it, it should work.
Just popped some rules on an unused VOICE LAN; check out the rules attachment.
And I have just corrected the typo on my n_ipv4_local_subnets alias :)
-
Wow! I didn't see the picture till I logged back on to reply… I didn't know you could put rules to exclude your local IP subnets like that... I was trying wan_net and wan_address to block without success :(
I made 1 alias for my Synology NAS, so if I change its IP I just have the alias to update.
Thanks a lot :)
Added picture as attachment, not sure if it works lol
-
> didn't know you could put rules to exclude your local IP subnets like that
Yeah, and you shouldn't.
You should block to the local subnet alias (and don't forget self) then pass any (or a subset of any).
If you want to block traffic, block it. Don't "block" traffic to a destination with pass rules to ! destination.
![Screen Shot 2017-02-22 at 12.59.35 AM.png](/public/imported_attachments/1/Screen Shot 2017-02-22 at 12.59.35 AM.png)
-
> > didn't know you could put rules to exclude your local IP subnets like that
> Yeah, and you shouldn't.
> You should block to the local subnet alias (and don't forget self) then pass any (or a subset of any).
> If you want to block traffic, block it. Don't "block" traffic to a destination with pass rules to ! destination.
What's the issue with using pass & !? I only ask as I may need to revisit my rules.
The only problem I can see is when you add a new subnet and forget to add it to the alias.
I tend to like all my passes at the top of my firewall rules and blocks at the bottom.
-
There can be logic problems in the generated rule set.
I was preaching this basic concept of firewalling long before this was discovered:
https://redmine.pfsense.org/issues/6799
If that was a block rule to LAN net, the traffic would just be blocked, period.
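As an added illustration (not the forum's or pfSense's own code) of the two layouts discussed above, s0rcier's pass-to-"not local subnets" rules and Derelict's block-to-local-subnets-then-pass rules, here is a small first-match evaluator in Python. The alias names are constructed, the NAS address, router address and ports are the ones from the original post, and "This Firewall (self)" is modelled as the router's LAN address only.

```python
import ipaddress
from dataclasses import dataclass

# Aliases as used in the thread (names are constructed; the NAS and router
# addresses and the two ports are the ones from the original post).
ALIASES = {
    "nas": ["10.1.1.10/32"],
    "nas_ports": [53, 1723],
    "local_subnets": ["10.1.1.0/24"],   # a subnet missing here is not blocked
    "self": ["10.1.1.1/32"],            # "This Firewall" modelled as the LAN address only
}

@dataclass
class Rule:
    action: str                # "pass" or "block"
    src: str = "any"           # alias name or "any"
    dst: str = "any"
    dports: str = "any"
    invert_dst: bool = False   # pfSense "invert match" on the destination

def _in_alias(ip, alias):
    if alias == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ALIASES[alias])

def matches(rule, src, dst, dport):
    dst_hit = _in_alias(dst, rule.dst) != rule.invert_dst   # invert flips the result
    port_hit = rule.dports == "any" or dport in ALIASES[rule.dports]
    return _in_alias(src, rule.src) and dst_hit and port_hit

def evaluate(rules, src, dst, dport):
    """pfSense evaluates interface rules top down, first match wins; no match is a block."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "block"

# Derelict's layout: block the NAS to the local subnets and to the firewall itself,
# then pass only the wanted ports, then block the rest (explicit, so hits are logged).
BLOCK_FIRST = [
    Rule("block", "nas", "local_subnets"),
    Rule("block", "nas", "self"),
    Rule("pass", "nas", "any", "nas_ports"),
    Rule("block", "nas"),
]
# s0rcier's layout: pass to "not local_subnets" on the ports, then block the NAS.
PASS_INVERTED = [
    Rule("pass", "nas", "local_subnets", "nas_ports", invert_dst=True),
    Rule("block", "nas"),
]
```

Running both layouts over the same packets shows they agree on the cases in the thread, and that a subnet left out of the alias is reachable under either layout, which is the maintenance risk s0rcier points out.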
-
Thanks dude.